security: multiple reported CVE fixes (#1515)

* update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue
2025-10-31 10:13:32 -04:00 · 2022-07-31 13:10:20 -08:00
parent 483f789b8e
commit 13850cda1f
23 changed files with 401 additions and 118 deletions
--- a/frontend/components/Domain/Recipe/RecipeInstructions.vue
+++ b/frontend/components/Domain/Recipe/RecipeInstructions.vue
@@ -197,7 +197,7 @@
              <v-expand-transition>
                <div v-show="!isChecked(index) && !edit" class="m-0 p-0">
                  <v-card-text class="markdown">
-                    <VueMarkdown class="markdown" :source="step.text"> </VueMarkdown>
+                    <SafeMarkdown class="markdown" :source="step.text" />
                    <div v-if="cookMode && step.ingredientReferences && step.ingredientReferences.length > 0">
                      <v-divider class="mb-2"></v-divider>
                      <div
@@ -219,8 +219,6 @@

 <script lang="ts">
 import draggable from "vuedraggable";
-// @ts-ignore vue-markdown has no types
-import VueMarkdown from "@adapttive/vue-markdown";
 import {
  ref,
  toRefs,
@@ -245,7 +243,6 @@ interface MergerHistory {

 export default defineComponent({
  components: {
-    VueMarkdown,
    draggable,
  },
  props: {